[Owasp-leaders] Professionalism and the Future of OWASP

johanna curiel curiel johanna.curiel at owasp.org
Fri May 20 16:32:29 UTC 2016

We need a volunteer management program folks

Agree with Josh and Simon

I'm running for the board and I would like to focus on this

Any serious non profit volunteer based corporation has it

On Friday, May 20, 2016, psiinon <psiinon at gmail.com> wrote:

> Hey Josh,
> Thanks for starting this discussion :)
> I agree with many of your points, but (as you allude to) OWASP doesn't
> actually have that many direct resources at the moment, and by that I mean
> employees.
> Pretty much all of the security work (as opposed to the very valuable and
> necessary organisational work) is performed by volunteers.
> Volunteers choose where they spend their time, so a huge part of a CTO
> role would be trying to sell the direction chosen. Not an easy task :/
> I think it would be great if OWASP could align itself behind a limited set
> of projects, but I worry that this might be really hard to achieve.
> ZAP is the most popular and active OWASP code project, but right now 3 of
> us have made the vast majority of enhancements that will be going into the
> next release. And 2 out of the 3 are paid to work on ZAP by other open
> source based organisations ;)
> Anyone have any ideas how we can encourage volunteers to focus on specific
> projects rather than spreading all of our efforts across 100s of them?
> Cheers,
> Simon
> On Fri, May 20, 2016 at 4:50 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> OWASP Board, Staff, and Leaders,
>> I wanted to take a moment to address the elephant in the room.  When I
>> look at the front page of owasp.org, I am drawn to a statement that
>> OWASP is "operating as a community of like-minded professionals".
>> Unfortunately, when I look at the reality of OWASP, I feel like we have
>> moved more in the direction of a clubhouse political debate than an
>> organization of like-minded professionals.  Don't get me wrong.  I consider
>> differing views and conversations about change to be a good thing, but
>> frequently these debates have devolved into profanity and personal
>> attacks.  That is not professional and completely inappropriate.  The
>> biggest benefit of our mailing list is that it gives you time to fully
>> think through not only your words, but also their interpretation, before
>> you "speak" them.  Passion is great, but at the end of the day we still
>> need to work with each other, so professionalism needs to trump passion.
>> OWASP is a 501c3 not-for-profit *CORPORATION*.   Just because our goal
>> is not to make a profit, doesn't mean that we shouldn't act like a
>> corporation.  And when you consider the size of our volunteer base, our
>> revenue, and our global reach, we are a relatively large corporation.  And
>> like a corporation, we have a Board of Directors, we have policies,
>> guidelines, and a mission statement.  But if any other corporation acted
>> the way that we do, they would not be in business for very long.  Can you
>> imagine a global brand like Dell with every stakeholder doing their own
>> thing under the same banner?  You'd have 1,000 different laptop models with
>> different looks, feel, functionality, documentation, and zero consistency.
>> From the outside looking in, as a consumer, it would be pure madness.  More
>> than enough to drive your business into the hands of someone else.  Yet,
>> that is the state of OWASP today.  Fortunately, it doesn't have to be the
>> future.
>> I would like to hope that every one of you is here because you believe in
>> OWASP's mission statement of improving the security of software.  The
>> challenge is that every one of us has a different opinion on how to
>> accomplish that.  Each opinion is every bit as valid as the next, but like
>> any other business, we need to prioritize our limited resources on the
>> strategic initiatives that will give us the biggest bang for our buck.  In
>> my opinion, this prioritization process is an area that OWASP has done a
>> poor job of in the past.  It is the purpose of the OWASP Board of Directors
>> to align our available resources to accomplish a common goal and, to date,
>> we have done little more than provide a handful of resources to a handful
>> of people, in order to accomplish some goals that are tangential to our
>> business.  The result is not bad, but I do question whether OWASP is living
>> up to its potential.  And without strategic alignment, it's no wonder why
>> our stakeholders are in routine conflict.  That's what happens when
>> everyone has a different idea of how to accomplish a goal.
>> Nobody wants a problem without a solution.  I mentioned in a separate
>> thread that I feel like the time has come for OWASP to have a formal CTO
>> position.  I envision this as a person well qualified and vetted in the
>> field of Application Security so that they can do a thorough analysis of
>> the space, talk with our stakeholders, and identify documentation, tools,
>> etc where OWASP can fill a need.  They would then be responsible for
>> creating that project's vision and aligning our resources in order to drive
>> it to completion.  This is not a "Project Manager" role, this is a business
>> strategy and technical architecture role.  Volunteers would still be free
>> to follow their passion, but hopefully they could find one of these
>> strategic projects to align themselves with.  And with a common vision and
>> goal in mind, hopefully it would reduce contention amongst our impassioned
>> community.  In my opinion, it's time for OWASP to stop thinking like a club
>> and start thinking like a business and I feel like this is necessary to get
>> us there.
>> I don't see the other projects going away under this model.  OWASP can
>> still provide a home and limited resources for them under our brand
>> umbrella.  We would just be making the conscious decision to allocate the
>> majority of our project resources in order to accomplish some very specific
>> strategic initiatives.  The volunteer would still be free to choose how to
>> contribute and how much effort they can put in.
>> Thoughts on this model for the future of OWASP?  At this point, it's
>> mostly an idea in my head, not well-socialized, but this is my attempt to
>> try to put it out there for consumption and feedback.  I'm open to your
>> additional ideas and suggestions.  Let's just agree to keep it
>> professional.  Thank you.
>> ~josh
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader

Johanna Curiel
OWASP Volunteer